pdimitrakis
Contributor

JWT authentication in mashup

We are trying to log our HTML mashup in to Qlik Cloud using JWT auth.

We have already set up the JWT identity provider in the Qlik Management Console.
The JWT token is created using a PHP library and sent for authorisation using the following code:

    var config = {
        host: 'qwxxxxxxxxxxxxxx.eu.qlikcloud.com',
        prefix: '/',
        port: 443,
        isSecure: true,
        webIntegrationId: 'xxxxxxxxxx', // from qlik management console
        jwt: "eyJhb....UA", // token created using the php library
    };

    async function login() {
        // Probe the session: /api/v1/users/me returns 200 only when a session cookie is already set
        function isLoggedIn() {
            console.log("checking logged in");
            return fetch("https://" + config.host + "/api/v1/users/me", {
                method: 'GET',
                mode: 'cors',
                credentials: 'include',
                headers: {
                    'Content-Type': 'application/json',
                    'qlik-web-integration-id': config.webIntegrationId
                },
            }).then((response) => {
                return (response.status === 200);
            });
        }

        return isLoggedIn().then((loggedIn) => {
            if (!loggedIn) {
                console.log("not logged in");
                // Exchange the JWT for a session cookie
                return fetch("https://" + config.host + "/login/jwt-session", {
                    method: 'POST',
                    mode: 'cors',
                    credentials: 'include',
                    headers: {
                        'Content-Type': 'application/json',
                        'qlik-web-integration-id': config.webIntegrationId,
                        'Authorization': 'Bearer ' + config.jwt,
                    },
                }).then((response) => {
                    if (response.status !== 200) {
                        console.log("failed logged in");
                        throw new Error('failed to login via jwt');
                    }
                });
            } else {
                console.log("already logged in");
            }
        });
    }


The response we get from the request is the following:

{
    "errors": [
        {
            "title": "Authentication failed",
            "detail": "No identity-provider is able to complete the exchange",
            "code": "LOGIN-1",
            "status": "401"
        }
    ],
    "traceId": "9cf4f041f5b6aa685eca85cce00075c3"
}

The JWT token is valid and properly decoded. We tested it by removing the "nbf" from the payload and the response mentioned that the nbf was missing.

Any thoughts on what the problem could be?
Thanks in advance


4 Replies
Damien_Villaret
Support

Hi @pdimitrakis 

Can you share the exact content (structure) of your JWT token?
You can use the debugger on jwt.io to get it.

Please mask any sensitive information.

If the issue is solved please mark the answer with Accept as Solution.
pdimitrakis
Contributor
Author

Hi @Damien_Villaret ,

JWT header
{
  "typ": "JWT",
  "alg": "RS256",
  "jti": "67xxxxxxxxxxx6f",
  "issuer": "qwxxxxxxxxx.eu.qlikcloud.com",
  "iss": "qwxxxxxxxxx.eu.qlikcloud.com"
}

JWT payload

{
  "jti": "67xxxxxxxxxxxxxxxxxxxxxxxxx6f",
  "iss": "qwxxxxxxxxxxx.eu.qlikcloud.com",
  "aud": "qlik.api/login/jwt-session",
  "sub": "64xxxxxxxxxxc",
  "subType": "user",
  "iat": 1711529073,
  "nbf": 1711529073,
  "exp": 1711532673,
  "userId": "64xxxxxxxxxxc",
  "name": "Panagiotis Dimitrakis",
  "email": "xxxxxxxxxx",
  "email_verified": true,
  "roles": [
    "RootAdmin"
  ]
}


Some information is duplicated, as the names of the payload fields were found to differ in other responses regarding the payload.

Damien_Villaret
Support

@pdimitrakis 

The only suspicious thing I see is that you are missing "kid" (key id) in the JWT header; my header looks like this:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "c4xxxxxxxxxxx72"
}

pdimitrakis
Contributor
Author

You were right @Damien_Villaret
Thanks a lot.

Just for reference, after the login worked I tried trimming the JWT header and payload, and the minimum working set is:

header
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "2xxxxxxxxb"
}

payload

{
  "jti": 1711610797, //random unique, i.e. timestamp
  "iss": "qxxxxxxxxxx8.eu.qlikcloud.com",
  "aud": "qlik.api/login/jwt-session",
  "sub": "6xxxxxxxxxxxxxxc", //the user id
  "subType": "user",
  "iat": 1711610797,
  "nbf": 1711610797,
  "exp": 1711614397,
  "name": "John Doe",
  "email": "xxxxxxxx@xxxxxxxx.com",
  "email_verified": true
}